How Secure is SIP?

New to VOIP but can anyone tell me how secure is SIP especially if
using it from a public hotspot or in a hotel.

VOIP providers claim it is more secure than an standard phone line as
the packets have no meaningful identifying information in them and as
they are routed through many channels it would very hard to capture
information although, if you're using a SIP phone in a public area like
a hotspot or hotel surly your phone call could be intercepted?

Advertisements

"Jimbo" <> wrote in message
news:...
> Hello
>
> New to VOIP but can anyone tell me how secure is SIP especially
> if using it from a public hotspot or in a hotel.

As it's used today, not at all. There are protocols for securing bot
signalling (Secure SIP, i.e. SIP-over-TLS) and media flows (SRTP) but they
are only rarely used.
> VOIP providers claim it is more secure than an standard phone line as
> the packets have no meaningful identifying information in them and as
> they are routed through many channels it would very hard to capture
> information

Sounds like standard sales pitch to me Have a look at these proofs of
concept:

Yes, unless you use countermeasures, which however require concerted action
by both endpoints. As long as you do peer-to-peer VoIP that's quite possible
(see e.g. http://www.philzimmermann.com/EN/zfone/ for SIP-based softphones,
or http://www.amicima.com/ for a non-standard but easy-to-use and - unlike
Skype - opensource and therefore verifiable solution); but if you require
PSTN termination, or simply provider-based service, you won't find any
provider willing to secure your communications, also because U.S. CALEA
regulations (http://www.eff.org/Privacy/Surveillance/CALEA/ ) force public
services to be easy to eavesdrop by three-letter agencies...

Advertisements

Jimbo wrote:
> New to VOIP but can anyone tell me how secure is SIP especially if
> using it from a public hotspot or in a hotel.

Depends on your understanding of "secure". Except for the password used
when you register to the SIP server, all other traffic is usually not
encrypted and can easily be sniffed and evaluated. The password hashing
mechanisms are not too fancy either, so with a short password, a brute
force attack could be successful within reasonable time. This is of
course ciritical if the provider generates a fixed length password,
which can not be modified by the customer. One German provider is e.g.
using assigned, fixed length 6 character passwords. With a simple,
non-optimized Java program, I would be able to scan the entire password
space in about 50 days with my two year old desktop computer. If you use
a couple of current high-end computers and an optimized tool and you're
down to days for finding the cleartext password for a sniffed
registration attempt.

The only thing preventing this is processor power - at least to encrypt
across the 'net and up to the PSTN, right? I'm waiting for my PSTN
provider to clear some colo space and then I plan to offer encrypted
VoIP. It'll be on a small scale for some special customers but it seems
reasonable to expect that larger providers could do it.

Share This Page

Welcome to Velocity Reviews!

Welcome to the Velocity Reviews, the place to come for the latest tech news and reviews.

Please join our friendly community by clicking the button below - it only takes a few seconds and is totally free. You'll be able to chat with other enthusiasts and get tech help from other members.
Sign up now!